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SPECIFICATION 

A system and method for guaranteeing tho integrity of a gambling system 

5 This invention relates to secure systems, such OS gambling apparatus, and more particularly to a system for ^ 
guaranteeing the integrity of information content in the secure system, such as the control program of 
gambling apparatus. 

It is often the case in electronic gambling systems that a microprocessor electronics based gambling 
system can be customized for different types of play by changing a memory device (such as an EPROM) or 

10 by.changing the memory device contents (such as by remotely downloading data into a read-write memory 10 
■RAM or EPROM). However, it is currently the practice of some state gambling commissions, such as uew 
Jersey, U.S.A. to require a seal be applied to oil circuitry on each circuit board (including the EPROM or RAM) 
as part of the certification process. Thus, inventories must be maintained of the sealed boards for each of a 
piuraiily of ■• idCmf.es, both ir» ms'iUiu "luring output sr.d mointairiing a repair stock piie. This approach Is 

1 5 both costly and inefficient, inasmuch as mony machines have a common nucleus and utilize the same circuit j 5 
beard with a different control memory progrom for each of a plurality of games being selected by 
interchanging a memory device or its contents. 

Although this approach is costly and cumbersome, there has heretofore been no alternative technique 
provided to perform the important function of guaranteeing th« integrity of the gambling machines. 

20 I" accordance with one aspect of the present invention, a system is provided wherein data and associated 2 0 
validation information stored in a nonsecure location are verified as to integrity by cryptographic techniques. 
Good integrity verification activates the system to operate in a first mode, and bad integrity verification 
activates the system to operate in a second mode. In a preferred embodiment, the system is a gambling 
system, with a first mode corresponding to user responsive operation and the second mode corresponding 

25 to an alarm mode. Other systems whore tho present invention would be useful include postal metering, 25 
electronic mait, electronic funds transfer ond other secure data processing systems. 

In accordance with another aspect of the present invention, the system has an interface port for 
communicating with an external device, such as a central control computer. Data and associated validation 
information are loaded into memory in tho nonsecure location, and the system verifies the integrity of the 

30 data and associated validation information as stored in the memory by cryptographic techniques operatively 30 
relating the data to the associated validation word. The system is activated to either 3 first or second 
operative mode responsive to a verification result of good or bad integrity, respectively. 

For example, a central computer could download information to one or a plurality of remotely located 
systems which would cavil verify the integrity of the information received and stored in its respective 

35 memory. Where the remotely located systems are gambling systems, the downloaded information can be 35 
odds, conuc! programs, random numkr : t*edr>, etc. 

In accordance wan one of the illustrated embodiments of the present invention, a gambling apparatus is 
disclosed hcvirg a secure portion which is cuflifii:*! ond sealed by the Gaming Commission, and having a 
. nonsecure pori ; on. not sealed by the Gaming Commission, the integrity of which is verified by the secure 

40 portion. The secure portion of the ycimuling apparatus cornprisf.-s a circuit board having a lentral processor 40 
and a first memory. The nonsecure portion of the gambling apparatus is comprised of a second portion of 
the circuit board, or an independent circuit board, having 0 second memory such as a nonsecure ROM, 
EPROM, or read-write memory (RAM). Utilizing cryptographic techniques, the integrity of the nonsecure 
portion of the system is verified by the secure portion of the system. 

45 Tn e gambling system is operable in threo modes, and powers up in a test mode for verifying the integrity 45 
cf the gambling system. Where a positive verification is made that the nonsecure memory (e.g. ROM) has 
satisfactory integrity, the system is activated to on operable mode responsive to player user control inputs. 
Alternatively, where the results of tho test mode is a negative verification showing the nonsecure memory 
does not have good integrity, and gambling system is forced 10 an inoperable mode nonresponsive to player 

50 user control inputs, and an alarm is activated. 50 
The nonsecure portion of the circuit board, the integrity of which is cryptographir.ally detectable, has a first 
nonvolatile memory (such as a ROM, PROM, EPROM or EE PROM nonvolatile memory or a read-write I RAM) 
volatile memory) having a validation word stored therein, the validation word being derived from the first 
memory contents according to a first relationship. The validation word is formed by deriving a first value 

55 from the first memory's contents. The validation word is then derived from the first value by means of a 55 
nonpublic derivation having an inverse function. The validation word is then combined to form a part of the 
contents of the first memory. 

The secure portion of the circuit board has p* ocessor and a second nonvolatile memory mounted 
thereon. The integrity of the secure portion is overt and delectable, such as by physical seal. The secure 

50 portion of the board includes means for deriving a second value from the validation word of the first memory go 
mei ns of the inverse function. The secure portion also includes means for comparing the first and second 
values, and means tor verifying the integrity of the second memory. The verification means activates the 
gaming system to the user reponsivc ploy mode responsive to a comparison result of equality, or activates 
the gaming system to the user nonresponsive (alarm) mode responsive to a comparison result of inequality. 

55 The relationship for deriving the first value, the nonpublic relationship, ond the inverse relationship of the 55 
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non-public relationship, are such (hot interrelating or cross deriving cr.3 to another is very complex and an 
extremely difficult and time consuming task. In o preferred embodiment, the encryption function is secret 
and thi; inverse function is public. 

A better understanding of the invention may bo had from the following detailed examples, the detailed 
5 description being taken in conjunction with the accompanying drawings in which: 5 

Figure 1 is a perspective view of a gaming system such as a video slot gambling machine, illustrating one 
apparatus which can utilize the presont invention; 

Figure 2 is a top view showing ono embodiment of a circuit board as contained in the gaming system of 
Figure 1 having a secure portion and & nonsecure portion; 
10 Figure 3 is a flow chart illustrating one embodiment of the encryption method utilized in accordance with 10 
one embodiment of the present invention; 

Figure 4 is a flow chart of the decryption test method as utilized in accordance with one embodiment of the 
present invention; and 

figure SAD are computer program listings lor one embodiment of the present mention. 
15 Referring now to Figure 1,3 gaming system is shown illustrative of one embodiment of the present 15 
invention. A housing 100 is provided which contains the necessary human player control interfaces as well 
as electronic circuitry and mechanical circuitry. Human player control inputs are provided, such as push 
buttons 110 and control handle 120. A viewing area, 130 such as video screen is provided on the front of the 
cabinet housing 100 for player viewing of the gaming machine response to player inputs. Coin shoots 140 
20 are provided for accepting player cons and returning bent coins. The number of credits which the player has 20 
as well as the active game display arc provided on the visual display means 130. For example, the gaming 
system of Figure 1 ran be a dot machine gambling system having 3, 4. or any number of reels, or may 
alternatively ho— -her type of flaming or gambling system. Where applicbble, a pay out shoot 145 may be 
provided for outpuuing coins 10 winning players. 
25 The housing 100 also contairc .'jr. s!c.,iror»ic circuit board 200, as shown in Figure 2, which provides the £5 
control and game electronic circuitry necessary to create the desired gambling system in conjunction with 
the video display 130 and user interface controls 110 and 120. Additionally, the housing 100 contains 
necessary power iuppiies, limit switches, etc. necessary to implement the remainder of the desired gaming 
system. 

30 Referring to Figure 2, the circuit board 200 as discussed with reference to Figure 1 is shown in block 3 q 
diagram form. The circuit board 200 maybe comprised of a single circuit board or of a plurality of circuit 
boards with appropriate interconnections provided. The circuit board 200 is comprised of two functionally 
separate units, a sealed secured portion 210 and a nonsealed, nonsecure circuit portion 250. The sealed 
circuit board portion 210, as illustrated, contains a microprocessor 220, a read only memory {such as a ROM, 

35 PROM, or EPROM), and miscellaneous electronic and electromechanical circuitry 240. The sealed portion of 35 
the circuit board 210 represents the fcealod portion of the gaming system in a physical sealing manner which 
wouid comply with a particular State Gaming Commission's requirements. 

The nonsealed portion of live circuit board. 250, contains an interconnection socket 260 for a memory 
device, (e.g. for a RAM, ROM, PROM, or EPROM}. When the socket 260 provides interconnection for a 

40 read-write memory, RAM or EPROM, the data contents of the read-write memory can be downloaded into 40 
the read-write memory. For e/ampte, a control program can be down-loaded from a remote site into the 
read-write memory of a local ((ambling system via an interface port 270 (Figure 2) of the local gambling 
system ana tne downloaded program verified by the secure portion of the circuit board in accordance with 
the teachings of the present invention. Multiple gambling systems can be configured to meet crowd 

45 selection patterns by specifying control programs either locally or remotely for each system. The systems 45 
can also be selectively forced inoperative by downloading appropriate control programs. This portion of the 
circuit board is not physically sealed, and thus the memory inserted into the ROM socket 260 can easily be 
changed or interchanged . While this is desirable from the view point of minimizing spare parts stock piling 
and maximizing manufacturing flexibility, the nonsealed socket does pose security risks and problems. 

50 However, in accordance with the present invention, cryptographic techniques are utilized to verify the 50 
integrity of the nonsecure portion of the circuit board, 250, via means of cryptographic processing by the 
secure portion of the circuit board, 210. The microprocessor 220 may be of any type, with its selection being 
made based upon desired operating speed, instruction set capabilities, and cost considerations. In addition, 
the microprocessor 220 may be comprised of a plurality of circuits including a general purpose ' . 

55 microprocessor (of a 4, 3, 1 6, 32, t* to. bit* register length), in conjunction with special purpose peripheral 55 
processors and interface chips, such as number crunchers, fast Fourier processors, fast multipliers, etc. 

Referring to Figures 3 and 4, the methodology utilized to accomplish the invention of the illustrated 
embodiments can be more readily understood by reference to the encryption (Figure 3) and decryption 
(Figure 4) flowcharts. 

60 Referring to Figure 3, the encryption process utilized for creating a verifiably secure memory for insertion 
into the nonsealed socket 260 M Figure 21 is illuct rated in flow chart form. The procedure starts at step 300. 
Proceeding at step 310 the latt U bytes of the nonsecure memory are designated as a validation word W and 
reserved from the remaining contents of the nonsecure memory which is designed as the vector R. A control 
program which has been developed is loaded into the encryption systems memory and designated as the 

65 contents of the nonsealed and nonsecure memory (the vector R). The validation word W is as yet undefined 65 
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'.ll represent the encrypted key to insure the Integrity of the remainder of the contents of th- memory 

Lctlon'p^ ' an r" ,,e9ef V8,UC RR ' ' S C ° mpU,ed fr0m ,he VCC,0r R b V -eans of a one vv y pub ? : 
^ m ln? o ;» IS F a ° n ! W ^ °" m3PPi " 9 R im ° a " inte 9 erwhose ^9"^de is comparable to thatof one 
element of R.F need not be one to one. but should be such that changing R whi.e leaving RR) unchanged?, a 
5 difficult task. The function F ,s a public function in that it is also utilized in the encryption process and may be 
discovered or known by members ot tne public. process ana may be 

Proceeding to step 330. a validation word W is computed from the value F(R) by means of a secret function 
D(RR)) and EID) = 1. Thus, when the function E is utilized in the encryption process, E (W) should ecu-' «»' 

10 ?h " "T" 8 COn,e r. S °' ,hC ™ m0rV " he V6C,0r R and the va,idati °" w °' d W) has not beenumpered'w'iih 
Thus, the integrity of the contents of the nonsealed nonsecure memory can be verified ,ampered w,,h - 

JZT*»V°JX I™' Va ! id3,i0n WOfd W is p,aced in the memor Y locations which had been se, ajtW . 
;,V„'«r^ ,n " n ?"* e " ie0 memory. At this point the encryption proces has ended as evidenced at 

Z £ ? T If °' n ° nSealed mem0rY ,VeC, ° r R) P ' US the validation w ° rd (appropriately tocwed in 
15 the last N bytes) can be committed to the nonsecure and nonsealed memory (e.g. ROM EPROM RAM) 

For further details on one way mapping functions, and public key cyrptography concepts reference s 

made to tne literature ,n general, such as "A Method for Obtaining Digital Signatures and pLS c K c y 

Cryptoc.sm Systems , by R.L Rives., et al.. as published in the February. 1978, Volume 21, Number 2 i*swe of 

he CommuwcaoonsoftheACM, a, pages 120-126, hereby incorporated herein by refererie.TseMnd 

20 reference. The Mathematics of Public Key Cryptography" by Martin E. Hel.man. published in &.3ic 

American, pages 146-1 57. 1 9. deals generally with the mathematics involved in public key cr^ptoaraphv and 
« hereby incorporated herein by reference. Both of the aforementioned references deal wZe TneS' 
refe^! .£T I?™?* C ° m ™ ication «*!-». either fo, message transfer, or for funds transfer The 
*"* S ; themselves to techniques to prevent tampering with new electronic comr ,unica ion 

25 systems and fund transfer systems and means to protect the vast quantities of private information such as ~, 
cred, records and med.ca. history stored in computer data banks. Encryption and decryp- tion are utilized ,or 
r' t n < ,nf0r " a,, ° n S ° ,hat " is ™nte..igible and therefore useless to those who are not S have 
access to ,t. becondly. cryptographic techniques are utilized to insure that messages sent have not bee- 
tampered w.th. of cr.tical concern in electronic funds transfer. 

3C "earring to Figure 4. the decryption process is illustrated in flow chart form, illustrating one embodiment , n 

step InoThe D ro V r e ; ,,0n ' H Pr0CC " U ° V/ S,ar,S WhEn thG 9ambMn9 SyS,em ° f R 9»« 1 is'powerTd up Tt 30 
step 400. The process proceeds to step 410 where the system is set to the test mode, wherein .he system is 
nonresponsrve to players control inpu.s. The contents of the nonsealed port.on of the circuit board a ! 
examined by the secure sea.ed portion of the circuit board, by defining the las, N byte of "he nonsea led 
35 memory contents as the va.idation word W. and defining the remaining nonsea.ed memory contents as a « 
vector R, whose elements are .he individual words of the nonsealed memory 35 

™n eedm9 ' 35 ' S:ra,ed 31 S,6P 43 °' ,he int69er V3 ' ,J? " Q} is imputed for the nonsealed memory 

comm ZT'T rV he " * ° Uhe PUb ' iC fu " Cti °" F - Next - a " -^ger value E 5 ? 

computed from the val.dat.on word V/ based upon the public encryption function E. It will be re 'ailed .hat .he 

40 ll ' 5 6 ,nV K Se ° f ' he fUnC,i °" ° THUS ' E,W » = E,D(F,R, » = F(R > on, V when the coments o thL 40 
nonsealed memory have not been tampered with. 40 

The decryption process proceeds as illustrated at step 450. where the computed value FIR) is comoared to 

z zz7A v :::<i r- " f ,RI ; E(W) - ,hen ,he ime9ri,v of ,he nonseaied has ^s^z 

verified, and the gaming system flow proceeds as illustrated at step 480. The gaming system is set to a 
45 svslmhr"" 6 ? Per ^, b,e m ° de ' WhefCin « he C ° in Chu,e and user c ° ntr ° ls ™ activated and h gaming 45 
ImL , , P 3V K b k- 35 " IUS,ra,£d 31 S,CP 49 °- The COn,ro ' pr ° 9ram c °" tai ™ d in the nonseafed 

oZStan iSeSS S. Pr0CeSS ° r SCaled P ° ni0n ° f ,hC CirCuit board ' 21 °- and < h * gaming system 

Tnrnr edS "T' ? UperV,S,0n ° f ,he con,ro1 P'°9' am - * this point, the decryption and integrity 
verification procedure has been completed, as illustrated at step 500 

50 dP.fr r,n f baC «-° deCiSi ° n b '° Ck 45 °' Where ,he resul, of the comparison of F(R) and E(W) results in a 

S n Tslul S ,he PrOCedur ? ' ,,ow cominues as Mlus,rated at s,ep 4P0 - The of 

d OC P l ,n a , pla y er i nonres P°"^e alarm mode. The user controls become inoperative, and the system 

Z *70 At thisnT mk K° n,r01 Pr ° qram ' 33 Prefer3b,y S, ° red in ,he secure "-W ROM illu trated a, 
tiZZ non f T 6 m3Ch,ne ' S d,Sab!ed ' and ,he operator is inf0 ' m e d of the error condition The 
55 bZT n °k » mem0rV deVke 15 fem0Ved ,r ° m * he n0nsealed socke « and the °P^a.or can choose 
SYS^m k h 7 l VS,em d ° Wn ' ° r ,rVir ' 9 30 a ' ,ern,e n °"-«aled memory integrated circuit. Where the 
sys em is shut down, the procedural flow is ended. , s iilustraled at block 500 Where a new imeqVated circuit 
placed , n the ROM socket 460. the decryption procedure repeats starting again at step 400 wf.hTowe up 

n JSn o?, 3 h CC0rdanC ! Wi L h ,he discussion o f «he illustrated embodiment, herein, the ROM 230 in the sealed 60 
Ton on S £ ' :rCU > S° ar H', 2 c 1 n°' C ° n,SinS 3 veri,ica,i0 " P^' a - to monitor the security of the nonsealed 
Plub iclv ir a nf . 25 °: :° n,ainin9 P ' U99ed " n ° nSea,ed memor V 260. The function F is a 

non ST 8 SUCH ,ha ' ,he Si9na,Ure F,a) Pf0vides 3 public, V avai 'able signature of the 

65 nonsealed memory contents ,ess the validation check word W, while the encryption function E is publicly 65 
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available to provide for a publicly available encryption key check word E(W). By computing ihe validation 
check word W using a secret decryption key, function D, which is the inverse of the public encryption 
function E, the integrity of the entire contents of tht* nonsealed memory (both the validation word W and the 
remaining contents) can be protected and detected in accordance with the present invention's teachings. 
5 An example may be illustrative. Presume tho nonsealed mfemory to be protected is an EPROM having a 5 
capacity of 2048 bytes. The last 8 bytes aro sot o&ide as the validation word W, and the remainder is 
partitioned into 408 five byte words f D 0 , D t ... D*> ; ). Define 408 nrftsnecified integers (Pi, P 2 , ... Pao?) and an 
additional prespecified integer P^, Additionally, 0 large composite integer XNBase is prespecified. F(R) and 
E(W) can then be computed as follows: 

10 10 

; _ Ann 

F(R> =1 W> "(modulo XNB,'>se). 

i = o 

15 15 
E(W) = W P408 (modulo XNBase). 

The validation check procedure can bo modified slightly such that if F(R) plus E(W) (modulo XNBase) equal 

20 to 0 then the integrity of the EPROM is questioned and the system goes to the alarm mode. This example in 2 o 
its modified format has been implemented with a BASIC language program ind has been successfully tested 
on an EPROM from an electronic slot machine. Tho BASIC language program and EPROM object code 
hexdump listipc v : :: \ strated in F'qwet Sn-n\ WbiiP BASIC language was utilized in the illustrated program 
of Figure 5, any computer programming language could bo utilized with an appropriate system. In the 

25 illustrated system of Figure? 1 all arithmetic operations were exact modulo (XNBase), double precision 2 5 
numbers exact to 16 digits. However, other cryptographic mathematical techniques could be utilized equally 
wet!, and implemented in accordance witU Ihe teachings of the present invention. 

It will be understood by those skilled in tho or! that other fur.ctional and operative relationships between 
the data and validation information can bo used consistent with the teachings of the present invention. 

30 Furthermore, in performing the verification function, operative relationships in addition to or instead of 3u 
comparison can be used consistent with iho teachings of the present invention. 

While there have been described abovo vnrious embodiments of system and methods for guaranteeing 
the integrity of the control program of a gambling rnachino having sealed and nonsealed portions, for the 
purpose of illustrating the manner in which tho Invention may be used to advantage, it will be appreciated 

35 that the invention is not limited thereto. Accordingly, any modification, variation, or equivalent arrangement 35 
within the scope of the accompanying claims thould be considered to be within the scope of the invention. 

CLAIMS 

40 1. A system for selectively operating in one of a plurality of modes responsive to a determined system 40 
integrity comprising: 

(a) a nonsecure portion of the system hoving data and validation information in a portion therein, 
\'o) a secure portion of the system comprised of: 
O) means for deriving a first value from the data -according to a first relationship; 
45 (2) means for deriving a second value from eaid validation information by means of a second *e 
relationship, D 

(3) means for operatively relating said first and second values to determine system integrity. 

(4) means for activating said system to n selected operational mode responsive to said means for 
operatively relating, 

50 2. The system as in Claim 1 further chaructori/cd in thct said nonsecure portion comprises a memory. 50 

3. The system as in Claim 1 wherein the integrity of the nonsecure portion is cryptographically verifiable, 
and the integrity of the secure portion is noncryptographically verifiable. 

4. The system as in Claim 1 further characterized in that said validation information is derived from said 
data according to first and third relationships. 

55 5. The system as in Claim 4 wherein said second relationship is the inverse of the third relationship. 55 

6. The system as in Claim.1 further chnructorired in that said means for operatively relating provides bad 
and good system integrity outputs indicative of the determined system integrity. 

7. The system as in Claim 6 wherein said mr?ons for activating said system activates said system to a first 
operational mode responsive to good system integrity output and activates said system to a second 

50 operational mode to a bad system integrity output, 

8. The system as in Claim 1 further characterized in that said system is activated to a first operational ° 
mode responsive to a determination of good Byttem integrity and said system is activated to a second 
operational mode responsive to a determination of bad system integrity. 

9. The system as in Claim 7 or 8 further characterized in that said first operational mode is a normal 

65 operational mode, and said second opcrationo! mode is fin alarm mode. ec 

65 
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10. The system as in Claim 4 or 5 wherein said first and second relationships are public and said third - 
relationship is secret. 

11- The system as in Claim 4 or 5 wherein said first, second and third relationships are one way functions 

12. The system as .n Claim 1 wherein said first relationship is further characterized in that changing any " 
5 of the data changes the first value. 

13. They system as in Claim 1 further characterized as a gaming system. 5 

14. The system as in Claims 1 or 2 or 3 or 4 or 5 or 6 or 7 or 8 or 12 further characterized as a gaming 
system. * * 

15. The system as in Claim 10 further characterized as a gaming system. 
10 16. The system as in Claim 1 1 further characterized as a gaming system. 

17. The system as in Claim 9 further characterized as a gaming system. 10 

18. The system as in Claim 17 wherein said noraml operation mode is a player-responsive mode. 

19. The system as in Claim 13 further characterized in that said secure portion is physically sealed 

20. A system as in Claim 1 or 1 3 further characterized in that said data and validation information are 
15 loaded into said nonsecure portion from an apparatus remotely located relative to the system. 

21. The system as in Claim 1 or 13 wherein said nonsecure portion includes a memory, and said secure 
portion includes a processor and a memory. 

22. The system asln Claim 1 or 13 further comprising: 

interface means for communicating with a device external to the system, 
20 means for loading the nonsecure portion with received communications responsive to the interface 

means. 20 

23. The system as in Claim 22 wherein said received communications is further characterized as said 
data and validation information. 

24. The system as in Claim 22 further comprising: 



25 means for communicating the determined syslem integrity to a device external to the system. ^ 

25. The system as in Claim 1 or 13 whtr^in sAiricpmro nnrtinr. n fik a ^» AM : . " 

to said nonsecure portion 



_ . - ' — .w u gAicfnai iw imb &ybiem, 

The system as in Claim 1 or 13 wherein said secure portion of the system is remotely located relative 
nonsecure portion. 

26. The system as in Claim 1 or 13 wherein said secure portion comprises a processor and a memory 
wherein said processor executes instructions from said secure memory to derive said f'rst and second 

30 values. 

27. The system as in Claim 8 further characterized in that said first mode is a player responsive mode 3 ° 
and said second mode is a player nonresponsive mode. 

28. The method as in Claim 27 wherein said second mode activates an alarm. 

29 A system for insuring the integrity of a remotely located downloaded memory comprising* 
35 (a) a controller including encryption circuitry for deriving validation information from data by means of a •» 
first relationship and a second relationship having an inverse, 

(b) a system, remotely located relative to snid controller, including a memory. 

(c) means for communicating data and validation information from said controller to said remotely 
located system for storage in said memory, 

40 (d) verification means comprised of: 

0 ) means for deriving a first value from the data contents of the memory by said firs' relationship- 4 ° 
2 means for der.ving a second value from said validation information by said inverse relationship- 
(3) means for operattvely relating said first and second values for providing an output indicative of 
system mtegerity, and 

45 < 4 > means for manifesting an aclion responsive to said system integrity output. 45 

30. The system as in Claim 29 wherein said verification means is remotely located relative to said 
controller. 

31. The system as in Claim 30 further characterized in that said first relationship and inverse second 
relationship are public and said second relationship is secret. 

50 32. The system as in Claim 30 wherein said remotely located system is a gaming system. 50 

33. The system as in Claim 30 wherein said first, second and inverse relationships are one- way mapping 
functions. 

34. The system as in claim 30 wherein said action is further characterized as activating said system to a 
norma! operable mode responsive to an output of good system integrity, and activating said system to an 

55 alarm mode responsive to an output of bad system integrity, 

35. The system as in Claim 30 wherein coid remotely located system is further comprised of data 
processing means. 

36. The system as in Claim 30 wherein said controller is operatively coupled to selectively communicate 
with a plurality of remotely located systems. 

60 37. The system as in Claim 36 further characterized in that at least one of said remotely located systems 6 n 
is a gaming system. 7 ou 

38. The system as in Claim 37 wherein each of said remotely located systems is operatively configured 
responsive to communications from said controller to the respective remotely located system. 

39. A gaming system comprising: 
65 (a) a circuit board; 

65 
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(b) r. nonsecure portion of the circuit board, the integrity of which is cryptographically detectable, havir 
a memory having data and validation information stored therein, wherein the validation information is 
derived from the data information according to a public first relationship and a secret second relationship 
having a public inverse relationship; 
5 (c) a secure portion of the circuit board having processing elect ronic^^^^^^ hereon, the integrity of 
the secure portion being detectable, 
wherein said secure portion of the circuit board is further comprked of : 
(1 ) means for deriving o-firM value from the data omfpr, atopm according to he public first 
relationship, 

10 <2) means for deriving o eecond value from said validation word by means of said public inverse jq 
relationship, 

(3) means for operating on taid first and second values to provide an integrity signal, 

(4) means for activating said system to a first mode responsive to a first integrity signal indicative of 
good system integrity, and 

15 (5) means for activating eaid system to a second mode responsive to a second integrity signal 15 
indicative of bad system integrity, 

40. The system as in Claim 39 wherein said secure portion is further comprised of a processor and a 
second memory. 

41 . The system as in Claim 39 wherein said first, second and inverse second relationships are one-way 

20 functions. 2Q 

42. A system as in Claim 39; 

wherein said first relationthio has the characteristic that changing the contents of said memory changes 
said first y**' 

43. The system of Claim 39; 

25 wherein said second relation,',! Hp is a one-way trap-door function. 

44. A gaming system comprising: 

(a) a cabinet having a dicp'ay area and a user control; 

(b) a circuit board mounted within the cabinet; 

(c) a nonsecure portion of thfi circuit board, the integrity of which is cryptographically detectable, having 
30 a memory having data and validation information stored therein, wherein the validation infomation is 

derived, by means of a tecond relationship having an inverse relationship, from a first value derived from 
and changing according to o first relationship responsive to the data contents; 

(d) a secure portion of the circuit board having verifiably good integrity comprising: 

( 1 ) means for deriving a second value from the data contents of the first memory according to the first 
35 relationship, 

(2) means for deriving a third value from said validation information by means of said inverse 
relationship, 

(3) means for providing an integrity output responsive to opening on said second and third values, 

(4) means for activating taid system to a first mode responsive to a first integrity output, and 

40 (5) means for activating tairi system to a second mode responsive to a second integrity output. 40 

45. The system as in Claim 44 wherein said first integrity output is indicative of good system integrity, 
and said second integrity output is indicative of bad system integrity. 

46. The system as in Claim 45 wherein said first mode is further characterized as activating said system 
to a user control responsive syttem. 

45 alarm ^ SYStCm 3S C,D ' m 45 0r 46 wnerein said second mode is further characterized as activating an 45 

48. A gaming system opfcrable in a player responsive mode and an alarm mode, comprising: 

a first memory having data and validation information contents therein, wherein said validation 
information .s operatively attociated with the remaining contents of the nonsecure memory 
50 a secure memory; 

means for validating tho integrity of the first memory comprising : 

means for executing instructions from the secure memory so as to derive a first value operativelv 
associated with the data contents of the first memory; 
means for executing instructions from the secure memory so as to derive a second value operatively 
55 associated with the validation information; ^rduveiy 

means for providing a good/faulty system integrity result output responsive to operatively relating said 
Tirst and second values; 

intTgri^- C,!Va,i " 9 SVS,em X ° ™ de res P onsive to a resul « °"tP"» of faulty system 

60 goTdsyste^SS B ° minfl SVS,Cm 10 S3!d P ' 3Ver - resp0nsive mode 'esponsiv. to a result output of «, 

49. The system as in Claim 48: 

chatg'eTsa" Hrst^f '"^ CharaC,eriS,iC ,h « the c °"' e ™ °< "id first memory 

65 50 * A gaming system as in Claim 48 or 49; 

65 
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wherein said validation information is derived from said first value. 

51. The system as in Claim 48 wherein said first, second and inverse second relationships are one-wav 
functions. ' 

52. A system for insuring the integrity of information loaded into the system, comprising : 
5 (a) a memory having initially undefined contents; 

(b) means for loading data and validation information into the contents of the memory wherein said data 5 
is related to said validation information according to a public first and a secret second relationship* 

(c) means for verifying the integrity of the loaded contents comprising: 

( i J means for deriving a first value according to the first relationship responsive to the data contents of 
10 the memory, ,5UI 

(2) means for deriving a second value according to a public inverse of the second relationshiD >0 
responsive to the validation information, 

- (3) means for operatively relating the first and second values to provide an integrity output indicative 
of good and bad integrity of the memory contents, 
1 5 (d) means Tor controlling the operable status of the system further comprising : 

(1 ) means for activating said system to a normal operational mode responsive to the good inteqritv 1 5 
output, and 9 ' 

(2) means for activating said system to an alarm mode responsive to said bod integritv outout 

53. The system as in Claim 52: y 
20 wherein said system is a gaming system. 

54. The system as in Claim 53 further comprising: 20 
an interface port for communicating with an external device; 

sa^exxlml^ce * P0Ft f ° r ,03din9 S3id memorv wilh the communications received from 

25 55. The system as in Claim 53 or 54 wherein said memory is located in a nonsecure portion of the second ^ 

system, and said means for verifying the integrity and means for controlling the operable status are located 

in a secure portion of the second system. 
56. The system as in Claim 52 or 53 having user responsive input means, wherein said normal 

operational mode is further characterized as being responsive to said user responsive input means 
30 57. A method of controlling the operable mode of a system having a memory with data and validation ? n 

information contents, comprising the steps of: 'ueuon 30 

deriving a first value from the data contents according to a first relationship, 
deriving a second value from the validation information according to a second relationship- 
operatively relating said first and second valuesso as to determine system integrity 
35 activating the system to a selected operative mode responsive to the determined system integritv « 
58. The method as in Claim 57 further characterized in that said system is a gaming system 
59 The method as in Claim 57 further characterized in that said validation information is derived from 

said data content according to the first relationship and an inverse to the second relationship. 

60. The method as in Claim 59 further comprising the steps of: 

40 and Ct ' Vatin9 SVStem t0 3 n ° rmal ° perative mode res P° nsiv e to a determination of good system integrity, 40 

activating said system to an alarm operative mode responsive to a determination of bad system integritv 

61 . The method as in Claim 57 or 58 further comprising the steps of: 
making the first and second relationships public; 

45 maintaining the inverse to the second relationship in secrecy. 

62. The method as in Claim 57 or 58 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

63. The method as in Claim 62 wherein said validation information is derived from said first value further 
50 comprising the steps of: 

determining said second value from said validation information by means of an inverse derivation to that 50 
Dy which the validation information is obtained from the first value. 

64. A method for creating a memory having verifiable secure data contents comprising the steps of ■ 
deriving a first value from the data contents of the memory by a first relationship wherein changing 

55 contents of the memory changes the first value; — 

deriving a validation value from said first value by a second relationship having an inverse 55 
relationship;and 
storing and valida;:?** vp! j P in said memory contents. 

65. A method of verifying the integrity of a memory having data content and validation value content 

60 related to said data content by first and second relationships, comprising the steps of- fi0 
deriving a first value from the data content of the memory by the first relationship; 
deriving a second value from said validation value by an inverse to said second relationship- 
providing an integrity output indicative of good and bad system integrity responsive to operatively 
relating the first value and the second value; 

65 Providing a first activation signal response to said integrity output indenting good system integrity and 6 5 
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Drcviding a second 3Ctivation signal responsive to said integrity output indicating bad system ir.iegrity. 

'66. The method of Claim &4 or 65 wherein said first relationship and inverse second relationship are 
public and said second relationship is secret. 

68. In a system, having a seniod secure circuit portion comprising * processor and a first memory, said 
system also having an insecure circuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of the system comprising the steps of; 

deriving a first value from the data content of the second memory by a first relationship wherein changing 
the contents of the second memory changes the first value; 

deriving a validation value from said first vafue by a second relationship having an inverse relationship 
and 

storing said validation value at a predefined location in said second memory. 
62. The method as in Claim 68 further comprising the steps of: 

ia) verifying the integrity of the second memory by means of said secure portion, further comprising the 
steps of: 

( 1 ) deriving a third value from the contents of the second memory by said first relationship; 

(2) deriving a fourth value from said validation value by said inverse relationship; and 

(3) operativeiy relating the third value to the fourth value and providing a relational output; and 
lb) controlling the operable status of the system further comprising the steps of: 

( 1 ) activating said gaming i.yr.tem to a normal-responsive mode responsive to said relational output 
2Q indicating good system integrity, and 

(2) activating the system to on ;ilnrm mode responsive to said relational output indicating bad system 
integrity. 

70. The metho ' ~f r !aim 68 n<- ' ■*r»H?r rhararterized in that sak' first and inverse second relationships 
are pubiic sr.ci . . ^conc* relationship is secret. 

71. The method of Claim 70 further rharacterized in that said second memory is nonvolatile. 

72. The method of Claim C8 or e'j further characterized in that system is a gaming system. 

73. The method of Claim 69 further characterized in that said normal-responsive mode is a player 
responsive mode, and said alarm mode is a player nonresponsive mode. 

74. A method of Claim 71 wherein s;iid step of operativeiy relating further comprises the steps of: 
comparing the magnitude of s;iid first and second values, and indicating said good system integrity by a 

relational result of equality, and indicating said bad system integrity by a relational result of inequality. 

75. Tiitr method of Claim 7 1 further characterized in that said first, second and inverse second 
relationships are one-way mapping functions. 

76. In a gaming system, having n pl.'iycr responsive mode and a player nonresponsive alarm mode, said 
system comprising a nonsecure memory having data and validation information, said validation information 
being operativeiy related to the data, r.;>id sytem also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 
memory, comprising the steps of: 

ia) executing instructions from the secure memory so as to derive a first value representative of the 
contents of the nonsecure memory; 

(b) executing instructions from tin; secure Memory so as to derive a second value representative of the 
validation word; 

fc) ODeratively relating the fir-.t ;hhI second values to provide an indication of system integrity; 

(d) activating said gaming r.yr.rem to said player nonresponsive alarm mode responsive to an indication 
45 of improper system integrity; 

(e) activating said gaming syMern to said player-responsive mode responsive tc an indication of good 
system integrity. 

77. The method as in Claim 70 further comprising the steps of: 

deriving said first value by me.mr; of a function which exhibits the characteristic that changing any of the 
5Q contents of the nonsecure memory changes the first value. 

78. The method as in Claim 77: 

wherein said validation word ir. derived from said first value, further comprising the steps of: 
determining said second value from said validation word by means of an inverse derivation to that by 
which the validation word is obtained from the first value. 

79. The method as in Claim 76 wherein said first value is derived by 
operativeiy relating said data to ;i first functional mapping; and 

further characterized in that said validation information is operativeiy related to said first value according 
to a second functional mapping, 
wherein said second value i:, derived by 

operativeiy relating said valid.-.t.on .information to an inverse of said second functional mapping 

80. The method of Claim 57 or Sft or 76 further comprising the steps of: 

communicating said data and ar.r.ociatcd validation information to the system from a source external to 
the system; 

storing said communicated data and associated validation information in said memory. 

81 . A method for controlling the operative mode of a system, having local and remote devices 
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responsive to determined integM / of communicated information comprising the steps co- 
operating upon data informant n\ tho remote device according to first and second relationships t- derive ' 
validation information, 

communicating said data and validation information from the remote device to the local device 
5 operating upon said data infor mat.on at the local device, according to said first relationship, to derive a 
first value; ° 5 

operating upon said validation information at said local device, according to en inverse of said second 
relationship, to derive a second value; 

controlling the operative mode of the- system responsive to opera.ively relating said first and second 
10 va'ues. 

82. The method as in Claim 81 further characterized in that there are a plurality of local devices, wherein 10 
the step of controlling the operative mode of the system further comprises the steps of* 

selectively controlling the operative mode of each of said local devices responsive to the operative 
relationships for each respective firM and second values. 
1 5 83. The method as in Claim 81 further comprising the steps of: 

deriving said first value by mear* of n function which exhibits the characteristic that changing any of the 1 5 
contents of the nonsecure memory channel tho first value. 

84. The method as in Claim 81 v/hfrrein r.oid validation information is derived from said first value further 
comprising the steps of: ' 

20 determining said second value Uoru said validation information by means of an inverse derivation to that ™ 
by wh'ch the validation word is otoamftd from the first value. 

85. 1 he method as in Claim 31 further characterized in that said first and inverse second functional 
relationships are public, and said ts',orirl functional relationship is secret. 

86. The method as in Claim 81 or 85 further characterized in that said first, second and inverse second 
25 tunctional relationships are one-v/a/ functions. 

87. A system for selectively opc/otmp, in one of a plurality of modes responsive to a determined system 25 
integrity substantially as herein d^cr.bed with reference to the accompanying drawings 

88. A system for insuring the lr,t<;gr,ty of a remotely located downloaded memory substantially as herein 
described with reference to the accompanying drawings. 

30 89. A gaming system substantially as herein described with reference to the accompanying drawings ™ 

90. A gaming system operable ir, a player responsive mode and an alarm mode substantially as herein 
described with reference to the accompanying drawings. 

91. A system for insuring the ir r^r.ty of information loaded into the system substantially a* herein 
described with reference to the accompanying drawings. 

35 92. Ameihodofcontrolli^^ 

information contents substantially D * hercn described with reference to the accompanying drawings 

93. A method for creating a rnc-.ory havincj verifiable secure data contents substantially as herein 
aescribed with reierence to the accompanying drawing 

94. A method for verifying the- .r.^my of a memory having data content and validaton value content 

40 related to ss.d data content by first W l second relationships substantially as herein described with reference 40 
to the accompanying drawings. 

95. In a system, having a seal*;*; wmu- drci... portion comprising a processor and a first memory, said 
system also having an insecure c.r v;.t portion comprising a second memory, a method of insuring 'he 
integrity of the insecure portion of ?r,». v,Mem substantially as herein described with reference to the 

45 accompanying drawings. 

96. In a gaming system, having a player responsive mode and a piayer nonresponsive alarm mode said ^ 
system comprising a nonsecure rwr.ory having data and validation information, said validation information 
being operat.vely related to the data, said system also having a secure memory, a method for selectively, 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 

50 m emory, substantially as herein dwr.r,ed with reference to the accompanying drawings. c 0 

97. A method for controlling tf ■* curative mode of a system, having local and remote devices 
responsive to determined integrity 0 1 communicated information substantially as herein described with 
reference to the accompanying dr:;//mfl:.. 
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